Server and client dual authentication (2)

2022-07-26 09:33:00 Jack-ZOU

The first is server-side authentication. The simpler way now is to find a certification service company and follow the online prompts to apply for a certificate. Some companies offer low-level certificates for free, while the fees for advanced certificates range from several hundred to tens of thousands of yuan per year. I applied for a free DV certificate from Wosign; it is valid for three years and can authenticate two domain names. The installation process is a little complicated, but once learned it is easy the next time. The certificate applied for this way is only a server certificate: it proves to those who visit the website that “I am I”, but it cannot authenticate the client (the visitor), so it cannot determine who is able to access the site. I asked the company, but there was no clear answer.

The second way does not go through a company: certificates are issued with software, which can issue certificates to the server and also to clients, achieving two-way authentication. There is a German program called XCA, which is available online; after installing it on the server, you can generate certificates. I tried it, but it did not seem to achieve the expected effect. I don't doubt the usability of the software; it must be that I have not mastered some steps in the operation process.

The third way is Active Directory Certificate Services (AD CS), which comes with Windows. The operating system already has a certificate service module; it is just not installed by default. Issuing a certificate with AD CS is simple, and there is no problem if it is used internally or within a certain range. But if the certificate is for public use, what does it mean when others don't know you and cannot tell whether it is credible? A third-party company in fact acts as a witness or notary. So those who provide public services may need a certificate from a third party.
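The second and third approaches both come down to a private CA that issues certificates to the server and to clients. The following is an added example, not from the original post: it uses the OpenSSL command line as a stand-in for XCA or AD CS, and all names (Example Internal CA, www.example.internal, alice) are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). All names are constructed.
set -e

issue() {  # issue <dir> <name> <subject> <extendedKeyUsage>: leaf signed by the private CA
  local d="$1" n="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$d/$n.ext"
  openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
}

make_pki() {  # make_pki <dir>: private root CA plus one server and one client certificate
  local d="$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/req.cnf" \
    -extensions ca -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  issue "$d" server "/CN=www.example.internal" serverAuth
  issue "$d" client "/CN=alice" clientAuth
}

# A party that imported ca.crt (intranet server or client) checks a peer certificate.
trusted_by_insider() {  # <dir> <name> <purpose: sslserver|sslclient>
  openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# A party that never imported ca.crt falls back to its default trust store.
trusted_by_outsider() {  # <dir> <name>
  openssl verify "$1/$2.crt" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d)
  make_pki "$d"
  trusted_by_insider "$d" server sslserver && echo "insider accepts the server certificate"
  trusted_by_insider "$d" client sslclient && echo "insider accepts the client certificate"
  trusted_by_insider "$d" server sslclient || echo "server certificate rejected as a client identity"
  trusted_by_outsider "$d" server || echo "outsider rejects the server certificate (unknown CA)"
  rm -rf "$d"
}
demo
```

The last check is the public-use problem described above: the same certificate that insiders accept fails for anyone who has not imported the private root.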

How do you install and use AD CS? It took me two weeks. I asked several customer service staff, which didn't solve the problem in my installation; later I consulted Microsoft engineers and finally “barely” finished the configuration. It has been tested and can be used.

All kinds of unexpected problems can come up while installing AD CS. The problem I had was this: after adding the AD CS server role, the installation went well, but at the end I was told that the installation was successful but the required service was not started, so it could not be used normally. The error message was as follows: Active Directory Certificate Services Setup failed, Error is as follows: The server service was not started 0x80070842 (win32: 2114).

I checked a lot of information. One source said that file and printer sharing needs to be installed. I installed it. Useless! Later, Microsoft said that after installation AD CS can't start by itself; just start it with services.msc.

After AD CS is installed, you can see in IIS that under Default Web Site, besides the original aspnet_client directory, a directory has been added, CertEnroll, along with two websites: CertSrv and ocsp.

The paths are: c:\Windows\system32\certsrv\certEnroll, c:\windows\system32\Certsrv\zh-cn, c:\windows\systemdata\ocsp. Default Web Site path: %systemDrive%\inetpub\wwwroot

Even so, there are still many strange things after installing AD CS. You can apply for a certificate through the web, but when the same website is visited from the browser on the server and from a client browser, the displayed content is different. You can't successfully apply for a certificate on the client; you can only use the browser on the server to operate through the web. I am continuing to study this problem.

Yesterday I did another experiment: I restored the system to a clean state, with only the operating system, Windows 2008 R2, and no other programs installed. In this case, configuring AD CS and IIS went surprisingly smoothly. This is a reminder that if you need to enable Certificate Services, you should set it up immediately after installing the operating system. It will go a lot better, because there is no interference from other software.

How do you use AD CS for two-way authentication? There is a lot of information on the Internet. After a while, I will organize my experiments and post them. To be continued.
